Re: Securing Laptops in an AD environment

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I am in a similar situation and have yet to find an answer to the biggest
hurdle in my environment: installaing local printers when the user is at home.
I've read about using TweakUI's access control options but that doesn't work.
Does anyone know how to give a local laptop user, not power user, rights to
install a printer locally.

Could you get into further technical depth as to how to succesfully
implement offline file browsing in an AD environment.

Thanks

Danny Sanders wrote:
We've been asked to set up a system where disconencted laptop users can
have
full credentials when disconnected ( i.e. like local administrator )

They would have to have a local account that is in the local admin group and
log on locally. They would log in locally when not connected to the network.
They would receive a different profile when this happens.

When
they reconnect, they have reduced ( user ) access. I've been digging
around
to no avail.

Their domain account would be only in the domain users group. They would log
in using their domain account when logging onto the domain.

Also, can anyone point me to a good article or whitepaper on how to
introduce laptops into an AD environment safely ( i.e. best practices ).

Best practices is for users not to have local accounts. Best practices is
not to have users as administrators.
I would suggest not giving them a local account and not giving them admin
rights to their computer. If they can do their work while logged into the
domain as a user, there is no reason to give them admin rights. They can log
in using cached credentials and do everything they could do while on the
domain.

Laptops can also take advantage of offline files. There really is no reason
to give them admin privileges even when off the network.

hth
DDS W 2k MVP MCSE

We've been asked to set up a system where disconencted laptop users can
have
[quoted text clipped - 10 lines]

Scot
.

Relevant Pages

  • Re: Securing Laptops in an AD environment
    ... here is what is required for a user to install/modify a local ... implement offline file browsing in an AD environment. ... I would suggest not giving them a local account and not giving them admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Securing Laptops in an AD environment
    ... implement offline file browsing in an AD environment. ... I would suggest not giving them a local account and not giving them admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Securing Laptops in an AD environment
    ... They would have to have a local account that is in the local admin group and ... Best practices is for users not to have local accounts. ... I would suggest not giving them a local account and not giving them admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to set up users as admin automatically?
    ... administrators group but that is not what I want because I don't want ... laptop will be admin. ... setup the local account just needs to set it up with Local Admin ...
    (microsoft.public.windowsxp.customize)
  • Re: Enabling telnet, ftp, pop3 for root...
    ... *ADMIN* the ability to edit files as root is a REASONABLE thing to do. ... Then your environment does not meet ... you are even afforded security. ... run ALL the commands they want from the script, ...
    (alt.os.linux)